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(54) Scheme for fast realization of encryption, decryption and authentication 



(57) A new scheme for fast realization of encryption, 
decryption and authentication which can overcome the 
problems of the RSA cryptosystem is disclosed. The 
encryption obtains a ciphertext C from a plaintext M 
according to C - M e (mod n) using a first secret key 

given by N 2) prime numbers Pi , P2 

p N , a first public key n given by a product Pi k 1 P2 k 2 

p N k N where k1, k2, , kN 

are arbitrary positive integers, a second public key e 
and a second secret key d which satisfy ed = 1 (mod L) 
where L is a least common multiple of p n -1 t P2-I. 



2 k 2, 

k 2 



, p N -1 . The decryption recovers the plain- 
text M by obtaining residues M p 1 k 1, M p 

M P n k n modulo Pi k 1 , P 2 

• - , p N k N , respectively, of the plaintext M 

using a prescribed loop calculation with respect to the 

first secret key Pi , P2 . Pn • anc * by 

applying the Chinese remainder theorem to the resi 



M 



pN k N 



This 



dues M p n k ! t Mp 2 k 2 , 

encryption/decryption scheme can be utilized for realiz- 
ing the authentication. 
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Description 

BACKGROUND OF THE INVENTION 
5 FIELD OF THE INVENTION 

[0001] The present invention relates to a scheme for fast realization of encryption, decryption and authentication 
which is suitable for data concealment and communicating individual authentication in communications for a digital TV, 
a pay-per-view system of the satellite broadcast, a key distribution in the information distribution, electronic mails, elec- 
70 tronic transactions, etc. 

DESCRIPTION OF THE BACKGROUND ART 

[0002] In recent years, in the field of communications, various types of cryptographic techniques have been proposed 
75 because the cryptographic technique can be effectively used for the protection of secrecy between communicating par- 
ties such as the concealment of information to be transmitted. The performances of such a cryptographic technique can 
be evaluated in terms of the security level of cryptosystem and the speed of encryption/decryption. Namely, the crypto- 
system for which the security level is high and the encryption/decryption speed is high is a superior cryptosystem. 
[0003] Among such cryptographic techniques, there is a type of public key cryptosystem that uses the modular expo- 
se? nent calculations, known as RSA (Rivest Shamir Adleman) cryptosystem, which is already in practical use. In this RSA 
cryptosystem, it has been shown thai the plaintext can be obtained from the ciphertext if the prime factoring of the public 
key can be made (see R. Rivest, A. Shamir and L. Adleman; "A method for obtaining digital signatures and public-key 
cryptosystems", Comm. ACM, Vol. 21, No. 2, pp. 120-126 (1978)). 

[0004] The public key cryptosystem such as RSA cryptosystem has its security based on the computational difficulty 
25 for obtaining the secret key from the public key which is a publicly disclosed information, so that the security level can 
be increased as much when a size of the public key is increased. On the other hand, the RSA cryptosystem has been 
associated with a drawback that it requires a considerable amount of time for encryption/decryption because it carries 
out higher degree modular exponent calculations and therefore the required amount of calculations is large. 
[0005] The encryption/decryption can be made faster by reducing the degree of the modular exponent calculations, 
30 for example, but that will require the reduction of the size of the public key and that in turn causes the lowering of the 
cryptosystem security. 

[0006] In the following, the RSA cryptosystem will be described in further detail. 

[0007] First, mutually different arbitrary prime numbers p and q are set as the first secret key, and the first public key 
n is obtained as: 

35 

n = pq 

while the least common multiple L of (p-1) and (q-1) is obtained as: 
40 L = lcm(p-1,q-1). 

[0008] Then, an arbitrary integer e is set as the second public key, and the second secret key d given by: 

ed« 1 (mod L) 

45 

is obtained using the Euclidean division algorithm. 

[0009] Then, a plaintext M and its ciphertext C can be expressed as follow: 

C - M e (mod n), 

50 

M e C d (mod n). 

[0010] Here, the value of the second public key e can be rather small like 13, for instance, so that the encryption 
processing can be made very fast, but the value of the second secret key d has a size nearly equal to n so that the 
55 decryption processing will be quite slow. 

[0011] On the other hand, the processing amount of the modular exponent calculations is proportional to the cube of 
the size of a number, so that by utilizing this property, the Chinese remainder theorem can be used in order to make the 
decryption processing faster. 
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[0012] The decryption processing using the Chinese remainder theorem proceeds as follows. 

d p = d (mod p-1), 

5 d q - d (modq-1), 

uq ■ 1 (mod p), 
M p - C dp (modp). 

10 

M q - C dq (modq), 
M- ((M p -M q )u(mod p))q+M q( 

75 where u is an inverse of q modulo p. 

[0013] Here, the size of each of p, q ( d p and d q is a half of the size of n so that the modular exponent calculations 
module p or q can be processed eight times faster, and as a result, the decryption processing as a whole can be made 
four times faster. 

[0014] Also, the RSA cryptosystem can be easily cryptoanalyzed if the prime factoring of n can be made. Currently, 
20 the potentially threatening prime factoring algorithms include the number field sieve method and the elliptic curve 
method. 

[0015] The required amount of calculations is of a quasi-exponential order of the size of n in the number field sieve 
method and of a quasi-exponential order of the size of a prime number in the elliptic curve method. The elliptic curve 
method is practically not a problem because of its high order calculations and large coefficients. On the other hand, the 
25 number field sieve method has a record for the prime factoring of the largest number realized so far, which is about 140 
figures in decimal. Consequently, attacks using these methods are not threatening in practice if n is 1 024 bits or so. 
[0016] In addition, there are cases where a public key cryptosystem apparatus can be used as an authentication 
apparatus by reversing the public key and secret key calculations in general. 

30 SUMMARY OF THE INVENTION 

[0017] It is therefore an object of the present invention to provide a new scheme for encryption, decryption and 
authentication which is capable of overcoming the problems associated with the conventionally known RSA cryptosys- 
tem as described above. 
as [0018] More specifically, objects of the present invention are: 

(1) to realize an encryption/decryption scheme which has the same security level compared with the known RSA 
cryptosystem on rational integer ring, 

(2) to realize an encryption/decryption scheme for which the encryption/decryption processing is faster than the 
40 conventional RSA cryptosystem, 

(3) to realize an encryption/decryption scheme which can also be utilized as an authentication scheme such that a 
single apparatus can be used for both the cipher communications and the authentication, and 

(4) to realize an authentication scheme for which the authenticator generation and the verification are faster than 
the known authentication scheme based on the conventional RSA cryptosystem. 

45 

[001 9] According to one aspect of the present invention there is provided an encryption method, comprising the steps 

of: setting N (§ 2) prime numbers p 1 , p 2 , , p N as a first secret key, and a product p/ 1 p 2 k 2 

p N k N as a first public key n, where k1 , k2, , kN are arbitrary positive integers; determining a second public 

key e and a second secret key d which satisfy: 

so 

ed m 1 (mod L) 

where L is a least common multiple of p r 1 , p 2 -1 p N -i , using the first secret key: and obtaining a cipher- 

text C from a plaintext M according to: 

55 

C « M G (mod n) 
using the first public key n and the second public key e. 
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[0020] According to another aspect of the present invention there is provided a decryption method for decrypting a 
ciphertext C obtained from a plaintext M according to: 

C - M e (mod n) 

5 

using a first secret key given by N (m 2) prime numbers p-j , p 2 , . Pn . a f ' rs t public key n given by a product 

Pi k 1 P2 k 2 ' Pn k N wn ere kl , k2, , kN are arbitrary positive integers, a second public key e 

and a second secret key d which satisfy: 

io ed « 1 (mod L) 

where L is a least common multiple of p r 1 , p 2 -l , , Pn-i . the method comprising the steps of: obtaining 

residues M p ^ k -j , M p 2 k 2 - ,M pNkN modulo p-| k 1 , p 2 k 2 . Pn k N . respectively, of the 

plaintext M using a prescribed loop calculation with respect to the first secret key p 1 , p 2 , , Pn ; and recov- 

15 ering the plaintext M by applying Chinese remainder theorem to the residues M p ^ k 1 , M p 2 k 2 , , M p N k N . 

[0021] According to another aspect of the present invention there is provided an authentication method for authenti- 
cating an authentication message sent from a sender to a receiver, comprising the steps of: (a) setting at the sender 

side a first secret key given by N 2) prime numbers p-j , p 2 , , p N , a first public key n given by a product 

Pi k 1 P2 k 2 p N k N where kl t k2, , kN are arbitrary positive integers, a second public key e 

20 and a second secret key d which satisfy: 

ed m 1 (mod L) 

where L is a least common multiple of p-j-1 , p 2 -1 , , Pn-1 ; (b) obtaining at the sender side an authenticator 

25 h(M) by hashing the authentication message M using a hash function h; (c) obtaining at the sender side an encrypted 
authenticator h(C) of the authenticator h(M) according to: 

h(M) - h(C) e (mod n) 

30 by obtaining residues h(C) p t h(C) p 2k2 , , h(C) p N k N modulo p 1 k 1 , p 2 k 2 , , p N k N , 

respectively, of the encrypted authenticator h(C) using a prescribed loop calculation with respect to the first secret key 

p 1 , p 2 , , p Nl and applying Chinese remainder theorem to the residues h(C) p t k -) , h(C) p 2 k 2 , 

, h(C) p N k N ; (d) sending the encrypted authenticator h(C) and the authentication message M from the 

sender to the receiver; (e) obtaining at the receiver side a first authenticator h(M)-| by calculating h(C) e (mod n) from the 

35 encrypted authenticator h(C) received from the sender using the second public key e; (f) obtaining at the receiver side 
a second authenticator h(M) 2 by hashing the authentication message M received from the sender using the hash func- 
tion h; and (g) judging an authenticity of the authentication message M at the receiver side by checking whether the first 
authenticator h(M)-, and the second authenticator h(M) 2 coincide or not. 

[0022] According to another aspect of the present invention there is provided an encryption apparatus, comprising: 

40 an encryption/decryption key generation processing unit for setting N (* 2) prime numbers Pi , p 2 , , Pn 

as a first secret key, and a product p 1 k 1 p 2 k 2 p N k N as a first public key n, where kl , k2, 

, kN are arbitrary positive integers, and determining a second public key e and a second secret key d which satisfy: 

ed ^ 1 (mod L) 

45 

where L is a least common multiple of p^l, p 2 -1, , Pn-1. using the first secret key; and an encryption 

processing unit for obtaining a ciphertext C from a plaintext M according to: 

C « M G (mod n) 

50 

using the first public key n and the second public key e. 

[0023] According to another aspect of the present invention there is provided a decryption apparatus for decrypting a 
ciphertext C obtained from a plaintext M according to: 

55 C s M e (mod n) 

using a first secret key given by N (s 2) prime numbers p 1 , p 2 , , Pn . a * irs * public key n given by a product 

Pt k 1 p 2 k 2 •••••••• p N k N where k1 , k2, , kN are arbitrary positive integers, a second public key e 
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and a second secret key d which satisfy: 

ed - 1 (mod L) 

5 where L is a least common multiple of p r 1 ( pg-1,- Pn'L the apparatus comprising: a calculation process- 
ing unit for obtaining residues M p 1 k , , M p 2 k 2 , M pNkN modulo Pi k1 , p 2 k2 Pn 

respectively, of the plaintext M using a prescribed loop calculation with respect to the first secret key p 1 , p 2 , 
, p N ; and a decryption processing unit for recovering the plaintext M by applying Chinese remainder the- 
orem to the residues M p1k1l M p2k2 , , M p N k N . 

70 [0024] According to another aspect of the present invention there is provided a cipher communication system, com- 
prising: a sender apparatus having: an encryption/decryption key generation processing unit for setting N 2) prime 

numbers Pi , p 2 , , Pn as a f irst secret key, and a product Pi k 1 p 2 k 2 p N k N as a first public 

key n, where kl . k2, , kN are arbitrary positive integers, and determining a second public key e and a sec- 
ond secret key d which satisfy: 

75 

ed - 1 (mod L) 

where L is a least common multiple of p r 1 , p 2 -1 , , p N -1 , using the first secret key; and an encryption 

processing unit for obtaining a ciphertext C from a plaintext M according to: 

20 

C = M e (mod n) 

using the first public key n and the second public key e; and a receiver apparatus having: a calculation processing unit 
for obtaining residues M p 1 k t ,M p2k2 . M pNk N modulo p 1 k 1 . p 2 k 2 Pn k N . respec- 
ts tively, of the plaintext M using a prescribed loop calculation with respect to the first secret key pi , p 2 , 

p N ; and a decryption processing unit for recovering the plaintext M by applying Chinese remainder theorem to the res- 
idues M p -J k 1 . M p 2 k 2 * • M p N k N - 

[0025] According to another aspect of the present invention there is provided an authentication message sender 
apparatus for use in authenticating an authentication message sent from a sender to a receiver, the apparatus compris- 
30 ing: an encryption/decryption key generation processing unit for setting at the sender side a first secret key given by N 

2) prime numbers p 1 , pg , , Pn . a *' r st public key n given by a product Pi k 1 p 2 k 2 Pn k 

N where k1 , k2, , kN are arbitrary positive integers, a second public key e and a second secret key d which 

satisfy: 

35 ed - 1 (mod L) 

where Lis a least common multiple of p r 1, p 2 -1, Pn* 1 ; an authentication message hashing processing 

unit for obtaining at the sender side an authenticator h(M) by hashing the authentication message M using a hash func- 
tion h; and an authenticator encryption processing unit for obtaining at the sender side an encrypted authenticator h(C) 
40 of the authenticator h(M) according to: 

h(M) ^ h(C) 6 (mod n) 

by obtaining residues h(C) p ^ k 1 , h(C) p 2 k 2 , , h(C) p N k N modulo p 1 k 1 , p 2 k 2 , , Pn k N . 

45 respectively, of the encrypted authenticator h(C) using a prescribed loop calculation with respect to the first secret key 

p 1 , p 2 , , p N , and applying Chinese remainder theorem to the residues h(C) p 1 k 1 . n ( c )p 2 k 2 » 

, h(C) p NkN , and then sending the encrypted authenticator h(C) and the authentication message M to 

the receiver. 

[0026] According to another aspect of the present invention there is provided an authentication message receiver 
so apparatus for use in authenticating an authentication message sent from a sender to a receiver, using a first secret key 

given by N (*; 2) prime numbers . p 2 Pn . a first Public key n given by a product Pi k 1 P 2 k 2 

p N kN where kl, k2, ........ , kN are arbitrary positive integers, a second public key e and a second 

secret key d which satisfy: 

55 ed o 1 (mod L) 

where L is a least common multiple of p-,-1, p 2 -1, , p N -1 the apparatus comprising: an authenticator 

decryption processing unit for obtaining a first authenticator h(M)-j by calculating h(C) e (mod n) from an encrypted 



5 



BNSDOCID: <EP 0&46018A2_.L> 



EP0 946 018 A2 



authenticates h(C) received from the sender using the second public key e; an authentication message hashing 
processing unit for obtaining a second authenticator h(M) 2 by hashing an authentication message M received from the 
sender using a hash function h; and an authenticity verification processing unit for judging an authenticity of the authen- 
tication message M at the receiver side by checking whether the first authenticator hfM)., and the second authenticator 
5 h(M) 2 coincide or not. 

[0027] According to another aspect of the present invention there is provided an authentication system for authenti- 
cating an authentication message sent from a sender to a receiver, the system comprising: a sender apparatus having: 
an encryption/decryption key generation processing unit for setting at the sender side a first secret key given by N 2) 

prime numbers , p 2 , Pn • a f irst Public key n given by a product p n k 1 p 2 k 2 p N k N where 

w k1 , k2, , kN are arbitrary positive integers, a second public key e and a second secret key d which satisfy: 

eds 1 (mod L) 

where Lisa least common multiple of p-, - 1 , p 2 - 1 , , Pn* 1 : an authentication message hashing processing 

15 unit for obtaining at the sender side an authenticator h(M) by hashing the authentication message M using a hash func- 
tion h; and an authenticator encryption processing unit for. obtaining at the sender side an encrypted authenticator h(C) 
of the authenticator h(M) according to: 

h(M) = h(C) e (mod n) 

20 

by obtaining residues h(C) p n k 1 , h(C) p 2k2 , h(C) p N k N modulo p n k 1 , p 2 k 2 , , p N k N , 

respectively, of the encrypted authenticator h(C) using a prescribed loop calculation with respect to the first secret key 

p 1 , P2 , Pn . and applying Chinese remainder theorem to the residues h(C) p 1 k 1 ■ n (Qp 2 k 2 ■ 

, h(C) p n k n - anc * f nen sending the encrypted authenticator h(C) and the authentication message M to 

25 the receiver; and a receiver apparatus having: an authenticator decryption processing unit for obtaining a first authen- 
ticator h(M) 1 by calculating h(C) e (mod n) from the encrypted authenticator h(C) received from the sender using the sec- 
ond public key e; an authentication message hashing processing unit for obtaining a second authenticator h(M) 2 by 
hashing the authentication message M received from the sender using the hash function h; and an authenticity verifi- 
cation processing unit for judging an authenticity of the authentication message M by checking whether the first authen- 

30 ticator h(Wi)<\ and the second authenticator h(M) 2 coincide or not. 

[0028] According to another aspect of the present invention there is provided a computer usable medium having com- 
puter readable program code means embodied therein for causing a computer to function as an encryption apparatus, 
the computer readable program code means includes: first computer readable program code means for causing said 
computer to set N (^ 2) prime numbers Pi , p 2 , • , p N as a first secret key. and a product Pi k 1 p 2 k 2 

35 p N k N as a first public key n, where k1 , k2, , kN are arbitrary positive integers, and deter- 
mining a second public key e and a second secret key d which satisfy: 

ed - 1 (mod L) 

40 where L is a least common multiple of p r 1 , p 2 -1 , . Pn* 1 . usin 9 tne first secret key; and second computer 

readable program code means for causing said computer to obtain a ciphertext C from a plaintext M according to: 

C « M e (mod n) 

45 using the first public key n and the second public key e. 

[0029] According to another aspect of the present invention there is provided a computer usable medium having com- 
puter readable program code means embodied therein for causing a computer to function as a decryption apparatus for 
decrypting a ciphertext C obtained from a plaintext M according to: 

so C • M e (mod n) 

using a first secret key given by N (^ 2) prime numbers Pi , p 2 , ,p N ,a first public key n given by a product 

p 1 k 1 p 2 k 2 • • • p N k N where k1 , k2, • • • , kN are arbitrary positive integers, a second public key e 

and a second secret key d which satisfy: 

55 

ed - 1 (mod L) 

where L is a least common multiple of p n -1, p 2 -1, , Pn*1 . the computer readable program code means 
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includes: first computer readable program code means for causing said computer to obtain residues M p ^ k 1 , M p 2 k 2 , 

t M p N k N modulo Pi K 1 . P2 k 2 . Pn k N » respectively, of the plaintext M using a prescribed 

loop calculation with respect to the first secret key pj , p 2 , , p N ; and second computer readable program 

code means for causing said computer to recover the plaintext M by applying Chinese remainder theorem to the resi- 

5 dues Mp i k 1 » Mp 2 k 2 « • M p N k N ■ 

[0030] According to another aspect of the present invention there is provided a computer usable medium having com- 
puter readable program code means embodied therein for causing a computer to function as an authentication mes- 
sage sender apparatus for use in authenticating an authentication message sent from a sender to a receiver, the 
computer readable program code means includes: first computer readable program code means for causing said com- 

io puter to set at the sender side a first secret key given by N (i= 2) prime numbers Pi . P2 » Pn. a first public 

key n given by a product p n k 1 p 2 k 2 Pn k N where k1 , k2, , kN are arbitrary positive integers, 

a second public key e and a second secret key d which satisfy: 

ed = 1 (mod L) 

75 

where L is a least common multiple of p-| -1 , p 2 -1 Pnt 1 ; second computer readable program code means 

for causing said computer to obtain at the sender side an authenticator h(M) by hashing the authentication message M 
using a hash function h; and third computer readable program code means for causing said computer to obtain at the 
sender side an encrypted authenticator h(C) of the authenticator h(M) according to: 

20 

h(M) = h(C) e (mod n) 

by obtaining residues h(C) p , k , , h(C) p 2 k 2 h ( c )p nkn modulo p 1 k 1 , p 2 k 2 , , Pn k N . 

respectively, of the encrypted authenticator h(C) using a prescribed loop calculation with respect to the first secret key 

25 p 1 , P2 , Pn • and applying Chinese remainder theorem to the residues h(C) p 1 ^ 1 , h(C) p 2 k 2 . 

, h(C) p M k n, and then sending the encrypted authenticator h(C) and the authentication message M to the 

receiver. 

[0031 ] According to another aspect of the present invention there is provided a computer usable medium having com- 
puter readable program code means embodied therein for causing a computer to function as an authentication mes- 
30 sage receiver apparatus for use in authenticating an authentication message sent from a sender to a receiver, using a 

first secret key given by N (* 2) prime numbers p 1 , p 2 , Pn . a f > r st Public key n given by a product p 1 k 

1 p 2 k 2 Pn k n W h ere k1, k2, , kN are arbitrary positive integers, a second public key e and 

■ a second secret key d which satisfy: 

35 ed s 1 (mod L) 

where L is a least common multiple of p r 1, p 2 -1, , Pm-1. the computer readable program code means 

includes: first computer readable program code means for causing said computer to obtain a first authenticator h(M) 1 
by calculating h(C) e (mod n) from an encrypted authenticator h(C) received from the sender using the second public 

40 key e; second computer readable program code means for causing said computer to obtain a second authenticator 
h(M) 2 by hashing an authentication message M received from the sender using a hash function h; and third computer 
readable program code means for causing said computer to judge an authenticity of the authentication message M at 
the receiver side by checking whether the first authenticator h(M)-| and the second authenticator h(M) 2 coincide or not. 
[0032] Other features and advantages of the present invention will become apparent from the following description 

45 taken in conjunction with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 
[0033] 

50 

Fig. 1 is a block diagram of a cipher communication system according to one embodiment of the present invention. 
Fig. 2 is a flow chart for an encryption processing of an encryption apparatus in the cipher communication system 
of Fig. 1. 

Fig. 3 is a flow chart for a decryption processing of a decryption apparatus in the cipher communication system of 
55 Fig. 1 . 

Fig. 4 is a block diagram of an authentication system according to one embodiment of the present invention. 
Fig. 5 is a flow chart for an authentication processing in the authentication system of Fig. 4. 



7 



BNSDOClD: <EP_ 0946018A2J_> 



EP0 946 018 A2 



DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

[0034] Referring now to Fig. 1 to Fig. 4, one embodiment of the scheme for encryption, decryption and authentication 
according to the present invention will be described in detail. 
5 [0035] Note that the encryption/decryption scheme of the present invention is realizable using n = p 1 k 1 P2 k 2 

p N k N in general, as will be described below, but the more practical exemplary case of using n = p-, k 1 P2 

will be described first. In the following, an expression "p k q" corresponds to a special case of the general expression p 1 

k1 p 2 k2 p N kN (where p n , p 2 , p N are (£ 2) prime numbers) with N = 2, p n =p, p 2 =q, 

k1 = k and k2 = 1. 

to [0036] Fig. 1 shows an overall configuration of a cipher communication system according to one embodiment of the 
present invention. 

[0037] The cipher communication system of Fig. 1 generally comprises an encryption apparatus 10 and a decryption 
apparatus 19 which are connected through a communication path 14. The encryption apparatus 10 has an encryption 
processing unit 1 3 for obtaining a ciphertext C from a plaintext M given as its input, and transmitting the obtained cipher- 
75 text C to the decryption apparatus 19 through the communication path 14. The decryption apparatus 19 has a decryp- 
tion processing unit 15 for recovering the plaintext M from the ciphertext C transmitted by the encryption processing unit 
13, and outputting the obtained plaintext M as its output. This decryption processing unit 15 includes a loop calculation 
processing unit 17. 

[0038] In addition, the encryption apparatus 10 also has an encryption/decryption key generation processing unit 1 1 
20 connected with both the encryption processing unit 1 3 and the decryption processing unit 1 5, for supplying the first pub- 
lic key n and the second public key e to the encryption processing unit 13 while supplying the first secret key p, q, the 
second secret key d, an arbitrary positive integer k, the first public key n and the second public key e to the decryption 
processing unit 15. 

[0039] Next, the operation of the encryption apparatus 10 will be described in detail with reference to Fig. 2. 
25 [0040] First, the encryption/decryption keys are generated at the encryption/decryption key generation processing 
unit 11 as follows (step S101). 

[0041] Here, the first secret key is to be given by two rational prime numbers p and q, and the first public key is to be 
given by their product, i.e.. n = p k q . Also, using the function Icm for obtaining the least common multiple. L given by: 

30 L = Icm (p-1, q-1) 

is obtained from the first secret key p and q. 
[0042] Next, e and d that satisfies: 

35 ed = 1 (mod L) 

are obtained. Then, the residues d p and d q of the obtained d modulo (p-1) and (q-1) respectively are obtained as: 

dp := d (mod p-1), 

40 

d q := d (mod q-1), 

where a symbol ":=" denotes the operation to calculate the right hand side and substitute it into the left hand side, and 
a set of three numbers d, dp and dq is set as the second secret key, while e is set as the second public key. In this way, 
45 the first public key n, the second public key e, the first secret key p, q, and the second secret key d, d p and d q are set up. 
[0043] Then, the ciphertext C is obtained at the encryption processing unit 13 as follows (step S102). 
[0044] The encryption processing unit 1 3 encrypts the plaintext M by using the first public key n and the second public 
key e, according to the formula: 

so C » M e (mod n) 

and transmits the obtained ciphertext C to the receiving side. 

[0045] Next, the operation of the decryption apparatus 19 will be described in detail with reference to Fig. 3. 
[0046] The decryption processing unit 15 obtains the plaintext M as an output from the ciphertext C entered from the 
55 encryption processing unit 13 through the communication path, the first secret key p, q, the second secret key d, the 
second public key e and the arbitrary positive integer k which are entered from the encryption/decryption key generation 
processing unit 1 1, by carrying out the following substitution calculation processing, where a symbol ":=" denotes the 
operation to calculate the right hand side and substitute it into the left hand side. 
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[0047] (Step S201) The values d p and d q of the second secret key d modulo p-1 and q-1 respectively are obtained as 
follows. 

d p := d (mod p-1), 
d q :=d(mod q-1). 

Note that there is no need to calculate these d (mod p-1) and d (mod q-1 ) at every occasion of the encryption/decryption 
and it suffices to produce them once in advance as the secret key. In such a case, d will be necessary only at the inter- 
im mediate stage for producing these d (mod p-1) and d (mod q-1). 

[0048] (Step S202) The residues K 0 , M q of the plaintext M modulo p and q respectively are obtained from the cipher- 
text C as follows. 



75 



K 0 :=C dp 

dq 



M q >C 



(mod p), 
(mod q). 



[0049] (Step S203) The residue M p k of the plaintext M modulo p k is obtained by carrying out the following loop cal- 
culation according to the fast decryption algorithm disclosed in T Takagi, "Fast RSA-type cryptosystem using n-adic 
20 expansion", Advances in Cryptology - CRYPTO'97, LNCS 1294, pp. 372-384 and in U.S. Patent Application Serial No. 
08/907,852 of the present inventors, at the loop calculation processing unit 17. 



25 



30 



35 



Ao 




Ko ; 


FOR 


i 


= 1 to (k-1) do 


begin 




F 






(Ai - 1 e ) (mod p' * 1 ) ; 


E 






(C - Fi ) (mod p 1 * 1 ) ; 


B 






Ei /p' In Z: 


K 






( (eFi )- ' Ai - ) Bi ) (mod 


A 






A; - i + p 1 K; in Z; 


end 






Mp k 




= Ak - i . 



40 



45 



50 



55 



[0050] (Step S204) The residue of the plaintext M with respect to a composite number n is obtained by applying the 

Chinese remainder theorem to the residues M p k and M q , so as to complete the decryption. 

[0051] More specifically, the Chinese remainder theorem can be applied by the following calculation. 

qi :=q" 1 (modp k ); 

V1 :=((M pk -M q ) qi )(modp k ); 

M ^(Mq + qvT ). 

Alternatively, the Chinese remainder theorem can also be applied by the following calculation. 

P, :=(P K )" 1 (modq); 
Vl >((M q -M pk )p 1 )(modq); 
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Alternatively, the Chinese remainder theorem can also be applied by the following calculation. 

Pl ^(pY 1 (modq); 

5 q n ^q* 1 (modp k ); 

M:= (q, qM pk + Pl p k M q ) (mod p k q). 

[0052] Next, the functions of the respective processing units in the cipher communication system of Fig. 1 will be 

io described along their processing procedure. 

[0053] First, as the first stage, at the encryption/decryption key generation processing unit 11, two prime numbers p 
and q to be the first secret key are generated, and the product n = p k q of these two prime numbers p and q is obtained 
as the f irst public key. Here, k is an arbitrary integer to be selected by accounting for the security level and the process- 
ing speed. Also, as can be seen from the formula n = p k q for the first public key n, the sizes of p and q can be made 

75 smaller when k is larger for a constant size (the number of digits, for example) of n, and the prime factoring becomes 
as much easier (that is, it becomes easier to learn the values of p and q) so that the security level of this cryptosystem 
becomes lower. 

[0054] Next, the least common multiple L is calculated from these two prime numbers p and q, and the second pubic 
key e and the second secret key d are generated according to ed = 1 (mod L) . This calculation of the least common 
20 multiple L can be done by first obtaining the greatest common divisor using the extended Euclidean division algorithm 
and then multiplying the remaining factors to obtain the least common multiple. 

[0055] Note that the pair of e and d at this point is uniquely determined from ed *= 1 (mod L) . Although it can be any 
pair that satisfies this condition in principle, usually the second public key e is set to be a smaller value in order to make 
the encryption faster. For this reason, the second secret key d becomes a considerably large number so that the 
25 decryption processing becomes slow when the conventional scheme is adopted. Note that the second public key e and 
the second secret key d are in relationship of inverse numbers modulo L, so that the second secret key d can be 
obtained if the second public key e and the least common multiple L are known. 

[0056] Next, as the second stage, at the encryption processing unit 13, the encryption is carried out according to the 
formula: 

30 

C - M e (mod n) 

using the second public key e of the receiving side, and the ciphertext C is transmitted to the receiving side. 
[0057] Then, as the third stage, at the decryption processing unit 15, M p k - M (mod p k ) and M q = C dq (mod q) 
35 are obtained using the aforementioned fast decryption algorithm, and the Chinese remainder theorem is applied to 
these two numbers. According to the Chinese remainder theorem, when the residues of an unknown number for plural 
moduli are known, the unknown number (solution) modulo a product of these plural moduli can be obtained uniquely so 
that M can be recovered. 

[0058] Now, concrete examples of the encryption according to this embodiment will be described. 
40 [0059] First, the exemplary case of k = 2 can be summarized as follows. 

Public key e = 5 

Public key n = 40270132689707 

Secret key d = 234982541 
45 Secret key p = 34273 

Secret key q - 34283 

Plaintext M = 1 234567890 

Ciphertext C * 10229049760163 

A 0 = K 0 = 20157 
so M q = 2777 

K n = 1748 

M P = A p + pK t = 59929361 
Plaintext M = 1234567890 

55 [0060] In this case, the value of each one of the first secret key p and q is about n 1 ' < k + 1 > , and the least common 
multiple L is about n 2 ' < k + 1) which is smaller than the RSA cryptosystem so that it can contribute to the realization of 
the faster encryption/decryption. 

[0061] More specifically, the calculation time for C d mod n is 0((log n) 2 (log d)) while the calculation time for C d mod p 
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and C d mod q is 0(1 /3 log n) 2 (2/3 log n). Thus the overall processing time is 0. 1 48 times that of the RSA cryptosystem, 
and it is a little over three times faster than the Ouisquater-Couvreur scheme that utilizes the Chinese remainder theo- 
rem (which has the calculation time of 0(1/2 log n) 2 (1 log n)). 
[0062] Next, the exemplary case of k = 3 can be summarized as follows. 

Public key e = 5 

Public key n = 627252701350243 

Secret key d = 7515005 

Secret key p = 5003 
io Secret key q = 5009 

•Plaintext M = 123456789012345 

Ciphertext C = 287551735059915 

A 0 = K 0p :*1732 

*M q = 3412 
is K 1 p = 4821 

A 1 = 24121195 

K 2p = 4395 

M p 2 = A 2 = A 1 + p 2 K 2 = 110031010750 
Plaintext M = 123456789012345 

20 

[0063] It should be apparent that the encryption/decryption scheme described above is also applicable to the case of 
using three prime numbers p-, = p, p 2 = q and p 3 = r as the first secret key and a product p k q* r m where k = k1 , I = k2 
and m = k3 as the first public key n. 

[0064] In this case, the decryption can be realized by first obtaining K 0 P , K 0 q and K 0 r modulo p, q and r, respectively, 
25 by integer modular exponent calculations of: 

K 0 p :=C dp (modp); 
K 0 q :=C dq (modq); 

30 

K 0 r :=C dr (modr); 

where: 

35 dp := d (mod p-1); 

dq :=d (modq-1); 
dr := d (mod M); 

next obtaining the residues M p k , M q * and M r m modulo p k . q* and r m , respectively, by applying the loop calculation to 
K 0 p , K 0 q and K 0 r , respectively, and then applying the Chinese remainder theorem to the residues M p k , M q i and M r 

[0065] It should also be apparent that the encryption/decryption scheme described above can be generalized to the 

case of using N (s 2) prime numbers p-j , p 2 , , p N as a first secret key, and a product p 1 k 1 p 2 k 2 

p N k N as a first public key n, where k1 , k2, , kN are arbitrary positive integers, a second 

public key e and a second secret key d which satisfy: 

ed = 1 (mod L) 

so 

where L is a least common multiple of p r 1, p 2 -1, Pn*1- 

[0066] In this general case, a ciphertext C can be obtained from a plaintext M according to: 

C » M G (mod n) 

55 

using the first public key n and the second public key e defined above. 

[0067] Also in this case, the decryption can be realized by first obtaining residues M p 1 k A , M p 2 k 2 

Mp n k n modulo Pi k 1 , P2 k 2 Pn k N . respectively, of the plaintext M using the loop calculation of the 
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aforementioned fast decryption algorithm with respect to the first secret key p 1 , p 2 , , Pn , and then apply- 
ing the Chinese remainder theorem to the residues M p 1 k 1 , M p 2 k 2 » M p N k N , 

[0068] Next, Fig. 4 shows an overall configuration of an authentication system according to one embodiment of the 
present invention. 

5 [0069] The authentication system of Fig. 4 generally comprises a sender apparatus 20 and a receiver apparatus 33 
which are connected through a communication path 26. The sender apparatus 20 has an authentication message 
hashing processing unit 23 for outputting an authenticator h(M) by applying a hashing processing on an input authenti- 
cation message (plaintext) M, and an authenticator encryption processing unit 25 for encrypting the authenticator h(M) 
outputted from the authentication message hashing processing unit 23 and transmitting the obtained encrypted authen- 

10 ticator h(C) through a communication path 26. 

[0070] The receiver apparatus 33 has an authenticator decryption processing unit 27 for obtaining a first authenticator 
h(M)-| from the encrypted authenticator h(C) and an authentication message hashing processing unit 29 for obtaining a 
second authenticator h(M) 2 from the authentication message M. both of which are connected to the authentication 
encryption processing unit 25 through the communication path 26, and an authenticity verification processing unit 31 

75 for verifying an authenticity of the authentication message M, which is connected with the authenticator decryption 
processing unit 27 and the authentication message hashing processing unit 29. 

[0071] In addition, the sender apparatus 20 also has an authentication encryption/decryption Key generation process- 
ing unit 21 for outputting authentication encryption/decryption keys to the authenticator encryption processing unit 25 
and the authenticator decryption processing unit 27 respectively. 
20 [0072] This authentication system of Fig. 4 realizes the authentication scheme in which a person who wishes to have 
the own authentication message authenticated will send to the receiving side an authenticator generated by encrypting 
the authentication message by using the own secret key. 

[0073] Now, the operations of the respective processing units in the authentication system of Fig. 4 will be described 
along their processing procedure with reference to Fig. 5. 

25 [0074] First, as the first stage (step S301 ), at the authentication encryption/decryption key generation processing unit 
21 , two prime numbers p and q to be the first secret key are generated, and the product n = p K q of these two prime 
numbers p and q is obtained as the first public key. Here, k is an arbitrary integer to be selected by accounting for the 
security level and the processing speed. Also, as can be seen from the formula n = p k q for the first public key n, the 
sizes of p and q can be made smaller when k is larger for a constant size (the number of digits, for example) of n, and 

30 the prime factoring becomes as much easier (that is, it becomes easier to learn the values of p and q) so that the secu- 
rity level of this cryptosystem becomes lower Then, the least common multiple L is calculated from these two prime 
numbers p and q, and the second pubic key e and the second secret key d are generated according to ed ^ 1 (mod L) . 
[0075] Next, as the second stage (step S302), at the authentication message hashing processing unit 23, the plaintext 
authentication message M is hashed by using the hash function h to obtain the authenticator h(M), where it is assumed 

35 that 0 ^ h(M) < n. Here, the hash function is used in order to shorten the message length. For example, the hashing 
processing extracts several characters from the top of the message. Also, a certain level of the scrambling function is 
to be provided. Note that the same hash function is to be used at the sending side and the receiving side. 
[0076] Next, as the third stage (step S303), at the authenticator encryption processing unit 25, the encrypted authen- 
ticator h(C) is calculated by the technique of the aforementioned fast decryption algorithm, using the first public key n 

40 and the second secret key d of the sending side. Note that in the authentication, the decryption processing and the 
encryption processing become completely reversed from the case of the encryption/decryption scheme described 
above, so that the calculation of the encrypted authenticator h(C) can be processed quickly by using the Chinese 
remainder theorem. 

[0077] After this calculation processing, the set of the encrypted authenticator h(C) and the authentication message 
45 M is transmitted to the receiving side through the communication path. 

[0078] Next, as the fourth stage (step S304), at the authenticator decryption processing unit 27, the receiving side 
decrypts the encrypted authenticator h(C) by calculating: 

h(M) 1 = h(C) e (mod n) 

so 

using the second public key e of the sending side, so as to obtain the first authenticator h(M)-j . 
[0079] Next, as the fifth stage (step S305), at the authentication message hashing processing unit 29, the receiving 
side hashes the authentication message M by using the hash function h so as to obtain the second authenticator h(M) 2 . 
[0080] Then, as the sixth stage (step S306), at the authenticity verification processing unit 31, the authenticity of the 
55 authentication message is judged according to whether the first authenticator h(M)! and the second authenticator h(M) 2 
coincide with each other or not, and an output indicating either coincide (Yes) or not coincide (No) is outputted. 
[0081] More specifically, the authentication scheme according to the present invention can be realized as follows. 
[0082] In the most general case, the sender side sets a first secret key given by N (s 2) prime numbers Pi , p 2 , 
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, p N , a first public key n given by a product p 1 k 1 p 2 k 2 p N k N where k1 , k2, 

( kN are arbitrary positive integers, a second public key e and a second secret key d which satisfy: 

ed « 1 (mod L) 

c 

where L is a least common multiple of p r 1, p 2 -1, Pn" 1 ■ 

[0083] Then, the sender side obtains an authenticator h(M) by hashing the authentication message M using a hash 
function h, while obtaining an encrypted authenticator h(C) of the authenticator h(M) according to: 

70 h(M) - h(C) e (mod n) 

by obtaining residues h(C) p , h(C) p 2 k 2 > h(C) p N k N modulo Pi k 1 , P 2 k 2 . Pn k N . 

respectively, of the encrypted authenticator h(C) using the loop calculation of the aforementioned fast decryption algo- 
rithm with respect to the first secret key p^ , p 2 , , p N , and applying the Chinese remainder theorem to 

75 the residues h(C) p , k -| , h(C) p 2k2 , , h(C) p N k N . 

[0084] Then, the encrypted authenticator h(C) and the authentication message M are sent from the sender to the 
receiver. 

[0085] Next, the receiver side obtains a first authenticator h(M)-, by calculating h(C) e (mod n) from the encrypted 
authenticator h(C) received from the sender using the second public key e, while obtaining a second authenticator 
20 h(M) 2 by hashing the authentication message M received from the sender using the hash function h. 

[0086] Then, an authenticity of the authentication message M is judged at the receiver side by checking whether the 
first authenticator h(M)-, and the second authenticator h(M) 2 coincide or not. 

[0087] It should be apparent from the above that, in the specific case where the encrypted authenticator h(C) is 
obtained using the first secret key given by three prime numbers p^ = p, p 2 = q and p 3 = r and the first public key n 
25 given by a product p k q* r m where k = k1 , / » k2 and m = k3 , the sender obtains the encrypted authenticator h(C) by 
first obtaining h(K) 0 p , h(K) 0 * and h(K) 0 r modulo p, q and r, respectively, by integer modular exponent calculations of: 

h(K) 0 p :« h(M) dp (modp); 

30 h(H) 0 q :=h(M) dq (modq); 

h(K) 0 r :=h(M) dr (modr); 

where: 

35 

dp := d (modp-1); 
dq := d (modq-1); 

40 dr := d (mod r-1); 

next obtaining the residues h(C) p k , h(C) q ^ and h(C) r m modulo p k , q € and r m , respectively, by applying the loop calcu- 
lation to h(K)0 p , h(K) 0 q and h(K) 0 r , respectively, and then applying the Chinese remainder theorem to the residues 
h(C) pk ,h(C) qf and h(C) rm . 

45 [0088] It should also be apparent from the above that, in the specific case where the encrypted authenticator h(C) is 
obtained using the first secret key given by two prime numbers Pi = p and p 2 = q and the first public key n given by a 
product p k q where k = k1 , the sender obtains the encrypted authenticator h(C) by first obtaining a residue h(K) 0 modulo 
p and a residue h(C) q modulo q of the encrypted authenticator h(C), by integer modular exponent calculations of: 

so h(K) 0 :=h(M) dp (modp); 

h(C) q := h(M) dq (modq); 

where: 

55 

dp := d (modp-1); 
dq := d (modq-1); 
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next obtaining a residue h(C) p k modulo p k of the encrypted authenticator h(C) by applying the loop calculation to h(K) 01 
and then applying the Chinese remainder theorem to the residues h(C) p k and h(C) q . 
[0089] In this case, the loop calculation can be carried out as follows. 



5 


h( A)a 


:= h(K)o ; 




FOR i = 


= 1 to (k-1) do 




begin 




10 


h(F}i 


: = (h(A) i - i e ) (mod p 1 4 1 ) ; 




h(E), 


:« (h(M) - h(F); ) (mod p 1 * 1 ) ; 




h(B)i 


:= h(E); /p ! in Z; 


15 


h(K); • 


.= ( (eh(F)i )- 1 h(A)i - i h(B). ) (rood 




h(A)i 


■ = h(A) i - i + p ; h(K) i In Z; 




end 




SO 


h(C) Pk 


: = h(A)n - i . 



[0090] Also in this case, the Chinese remainder theorem can be applied by the following calculation. 
25 q., :=q" 1 (mod p k ); 

v 1 :=((h(C) pk -h(C) q ) qi )(modp k ); 
h(C):=(h(C) q + q Vl )- 

30 

Alternatively, the Chinese remainder theorem can also be applied by the following calculation. 

Pl ^(p'r'fmodq); 
35 Vl :={(h(C) q -h(C) pk ) Pl )(modq); 

h(C) := (h(C) pk + p k Vl ). 
Alternatively, the Chinese remainder theorem can also be applied by the following calculation. 

40 

Pl >(pY 1 (modq); 
q 1 rsq" 1 (modp k ); 

45 h(C) := (q , qh(C) p k + p , p K h(C) q ) (mod p k q). 

[0091] Note that, in the above described embodiment, each of the prime numbers has a size of about n 1 /(k + ^ which 
is sufficient to prevent the number field sieve method and the elliptic curve method that are the fastest prime factoring 
algorithms currently known. Also, the second public key e can be set small so that the second secret key d has about 

so the same size as the least common multiple L. Here, the least common multiple L has a size of n 2/ < k+ 1 > which is smaller 
than that of the RSA cryptosystem so that it can contribute to the realization of the faster encryption/decryption. 
[0092] Also, in the above described embodiment, the case of k = 3 uses the composite number n = p 3 q as the mod- 
ulus, so that the size of each of p and q becomes 1/4 of the size of n. The decryption processing modulo p 3 requires 
about the same amount of calculations as the processing modulo p. so that the processing modulo p 3 and the process- 

55 ing modulo q can be made 64 times faster. Thus the overall processing can be made 32 times faster, which is consid- 
erably faster even in comparison with the conventional Quisquater-Couvreur scheme that can realize four times faster 
decryption processing than the original RSA cryptosystem. 

[0093] As described, the cryptosystem according to the present invention uses N 2) prime numbers Pi , p 2 , 
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, p N as the first secret key and their product p 1 k 1 p 2 k 2 p N k N as the first public key n, so 

that it has the same security level as the conventionally known RSA cryptosystem on rational integer ring, while it is 
capable of realizing the faster encryption and decryption processing. In addition, it can be utilized for the authentication 
as well, and it is also capable of realizing the faster authenticator generation and authenticity verification. 
[0094] Moreover, the cryptosystem according to the present invention uses the second public key e as an encryption 
key and the second secret key d as a decryption key which satisfy: 

ed - 1 (mod L) 

where L is a least common multiple of p r 1, p 2 -1, • . Pn-L so that the size of the decryption key d can be 

made about the same as the size of L 

[0095] In contrast, in the case of the RSA cryptosystem for example, if Pi k 1 p 2 k 2 p N k N is to be used 
as the first public key n where Pi . p 2 , , pN are N 2) prime numbers, it is required to generate the 
encryption key e and the decryption key d which satisfy: 

ed « 1 (mod <|>(n)) 

where 

<Kn) = n(1-1/ Pl )(1-1/P 2 ) ' • • • 0-1'Pfsi) 

is the Euler function, so that the size of the decryption key d becomes the same as the size of 4>(n) which is considerably 
larger than the size of L. 

[0096] It is to be noted that the above described embodiment according to the present invention may be conveniently 
implemented in forms of software programs for realizing the operations of the cipher communication system of Fig. 1 or 
the authentication system of Fig. 4. as will be apparent to those skilled in the computer art. Appropriate software coding 
can readily be prepared by skilled programmers based on the teachings of the present disclosure, as will be apparent 
to those skilled in the software art. 

[0097] In particular, each of the encryption apparatus and the decryption apparatus of Fig. 1 and the sender appara- 
tus and the receiver apparatus of Fig. 4 as described above can be conveniently implemented in a form of a software 
package. 

[0098] Such a software package can be provided in a form of a computer program product which employs a storage 
medium including stored computer code which is used to program a computer to perform the disclosed function and 
process of the present invention. The storage medium may include, but is not limited to, any type of conventional floppy 
disks, optical disks, CD-ROMs, magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, 
or any other suitable media for storing electronic instructions. 

[0099] It is also to be noted that, besides those already mentioned above, many modifications and variations of the 
above embodiments may be made without departing from the novel and advantageous features of the present inven- 
tion. Accordingly, all such modifications and variations are intended to be included within the scope of the appended 
claims. 

Claims 

1. An encryption method, comprising the steps of: 

setting N (* 2) prime numbers Pi , p 2 , , Pn as a first secret key, and a product Pi k 1 p 2 k 2 

p N k N as a first public key n, where k1, k2, , kN are arbitrary positive integers; 

determining a second public key e and a second secret key d which satisfy: 

ed - 1 (mod L) 

where L is a least common multiple of p r 1 , p 2 -1 , » P N -1 . using the first secret key: and 

obtaining a ciphertext C from a plaintext M according to: 

C - M e (mod n) 

using the first public key n and the second public key e. 
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2. The method of claim 1 , wherein the setting step sets three prime numbers p 1 = p, p 2 = q and p 3 = r as the first 
secret key and a product p k q* r m where k = k1 , / = k2 and m = k3 as the first public key n. 

3. The method of claim 1 , wherein the setting step sets two prime numbers p-| = p and p 2 = q as the first secret key 
s and a product p k q where k = k1 as the first public key n. 

4. The method of claim 3, wherein the determining step also determines: 

d p := d (mod p-1), and 

70 

d p := d (mod q-1), 

as the second secret key such that the second secret key is given by a set of d, d p and d q . 
75 5. A decryption method for decrypting a ciphertext C obtained from a plaintext M according to: 

C = M e (mod n) 

using a first secret key given by N 2) prime numbers p-i , P2 Pn . a f ' rst public key n given by a 

so product Pt k 1 p 2 k 2 p N k N where k1, k2, , kN are arbitrary positive integers, a second 

public key e and a second secret key d which satisfy: 

ed - 1 (mod L) 

25 where L is a least common multiple of pyl , p 2 -1 , , Pn*1 . the method comprising the steps of: 

obtaining residues M p 1 k A . M p 2 k 2 -M pNkN modulo p n k 1 , p 2 k 2 Pn k N ■ 

respectively, of the plaintext M using a prescribed loop calculation with respect to the first secret key p! , p 2 , 
, p N ; and 

30 recovering the plaintext M by applying Chinese remainder theorem to the residues M p 1 k ^ , M p 2 k 2 . 
M p N k n ■ 

6. The method of claim 5, wherein the ciphertext C is obtained using the first secret key given by three prime numbers 
Pi =p. p 2 = P and p 3 e r and the first public key n given by a product p k q* r m where k = k1, / = k2 and m = k3 ; 

35 

the obtaining step obtains K 0 p , K 0 and K 0 r modulo p ( q and r, respectively, by integer modular exponent cal- 
culations of: 

K 0 p :=C dp (modp); 

40 

K 0 q :=C dq (mod q); and 
K 0 r :=C dr (modr); 

45 where: 

dp := d (mod p-1); 
dq := d (mod q-1); and 

50 

dr := d (mod r-1); 

and then obtaining the residues M p k , M q £ and M r m modulo p k , q^ and r m , respectively, by applying the pre- 
scribed loop calculation to K 0 p . K 0 ^ and K 0 r , respectively; and 
55 the recovering step applies the Chinese remainder theorem to the residues M p k , M q t and M r m . 

7. The method of claim 5, wherein the ciphertext C is obtained using the first secret key given by two prime numbers 
p 1 = p and p 2 = q and the first public key n given by a product p k q where k = k1 ; 
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io 



15 



20 



25 



30 



35 



AO 



the obtaining step obtains a residue K 0 modulo p and a residue M q modulo q of the plaintext M, by integer mod- 
ular exponent calculations of: 



K 0 :=C dp (mod p); and 



where: 



M q ;=C dp (mod q); 



dp := d (mod p-1); and 
dq := d (mod q-1); 

and obtains a residue M p k modulo p k of the plaintext M by applying the prescribed loop calculation to K 0 ; and 
the recovering steps applies the Chinese remainder theorem to the residues M pk and M q . 

8. The method of claim 7, wherein the prescribed loop calculation is carried out by: 

(a) setting A 0 := K 0 ; 

(b) for i = 1 to (k-1), repeatedly calculating: 



F; 
Ei 
B; 
K; 
Ai 



= (A. - i * ) (mod p j * 1 ) ; 

= (C - F; ) (mod p' + 1 ) ; 

= Ei /p 1 in Z; 

= ( (eFi )- 1 A; - 1 Bi ) (mod p) ; 

= A; - i + P ; Ki in Z ; and 



10. 



45 



50 11 



55 



12. 



(c) setting M pk := 

The method of claim 7, wherein the recovering step recovers the plaintext M by calculating: 

q 1 :=q" 1 (modp k) ; 
v-, :=((M pk -M q ) qi )(modp k );and 
M ^(Mq + qv! ). 

The method of claim 7, wherein the recovering step recovers the plaintext M by calculating: 

Pi := (PV (modq); 
v .j := ((M q -M pk )p 1 ) (mod q); and 
M:= (M pk + p k Vl ). 

The method of claim 7, wherein the recovering step recovers the plaintext M by calculating: 

Pi *= (P K )" 1 (modq); 
q n :=q" 1 (mod p k ); and 
M:« ( qi qM pk + Pl p k M q ) (modp k q). 
An authentication method for authenticating an authentication message sent from a sender to a receiver, compris- 
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ing the steps of: 

(a) setting at the sender side a first secret key given by N (s 2) prime numbers p 1 , p 2 , * • • * * • • • , Pn . a 

first public key n given by a product Pi k 1 P2 k 2 Pn k N where k1, k2, , kN are arbi- 

5 trary positive integers, a second public key e and a second secret key d which satisfy: 

ed - 1 (mod L) 

where L is a least common multiple of pj-1 , P2-I Pi\r 1 : 

10 (b) obtaining at the sender side an authenticator h(M) by hashing the authentication message M using a hash 

function h; 

(c) obtaining at the sender side an encrypted authenticator h(C) of the authenticator h(M) according to: 



15 



h(M) - h(C) e (mod n) 

by obtaining residues h(C) p i k <[ , h(C) p 2 k 2 . - h ( c )p n k n modulo p 1 k 1 . p 2 k 2 



p N k N , respectively, of the encrypted authenticator h(C) using a prescribed loop calculation with respect to the 
first secret key Pi , P2 Pn » ancl applying Chinese remainder theorem to the residues h(C) p ^ k 

1 . n ( C )p 2 k 2 . n ( C )p NkN : 

20 (d) sending the encrypted authenticator h(C) and the authentication message M from the sender to the 

receiver; 

(e) obtaining at the receiver side a first authenticator h(M) 1 by calculating h(C) e (mod n) from the encrypted 
authenticator h(C) received from the sender using the second public key e; 

(f) obtaining at the receiver side a second authenticator h(M) 2 by hashing the authentication message M 
25 received from the sender using the hash function h; and 

(g) judging an authenticity of the authentication message M at the receiver side by checking whether the first 
authenticator h(M) 1 and the second authenticator h(M) 2 coincide or not. 

13. The method of claim 12, wherein the encrypted authenticator h(C) is obtained using the first secret key given by 
30 three prime numbers = p. p 2 = q and p 3 = r and the first public key n given by a product p k q* r m where k = k1 , 

/ = k2 and m = k3 ; 

the step (c) obtains h(K) 0 p , h(K) 0 ^ and h(K) 0 r modulo p, q and r ( respectively, by integer modular exponent 
calculations of: 

35 

h(K) 0 p :=h(M) dp (modp); 
h(K) 0 q :« h(M) dq (mod q); and 
40 h(K) 0 r :=h(M) dr (modr); 

where: 

dp := d (mod p-1); 

45 

dq := d (modq-1); and 
dr := d (mod r-1); 

50 and then obtaining the residues h(C) p k , h(C) q t and h(C) r m modulo p k , q £ and r m , respectively, by applying 

the prescribed loop calculation to h(K) 0 P h(K) 0 * and h(K) 0 r , respectively, and applies the Chinese remainder 
theorem to the residues h(C) p k , h(C) q ^ and h(C) r m . 

14. The method of claim 12, wherein the encrypted authenticator h(C) is obtained using the first secret key given by 
55 two prime numbers Pi - p and p 2 = q and the first public key n given by a product p k q where k = k1 ; 

the step (c) obtains a residue h(K) 0 modulo p and a residue h(C) q modulo q of the encrypted authenticator 
h(C), by integer modular exponent calculations of: 
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h(K) c :=h(M) dp (mod p);and 



h(C) c 



;h(M) dq (mod q); 



where: 



10 



is 



dp :=d (mod p-1); and 
dq := d (mod q-1); 

and obtains a residue h(C) pk modulo p k of the encrypted authenticator h(C) by applying the prescribed loop 
calculation to h(K) 0 , and applies the Chinese remainder theorem to the residues h(C) p k and h(C) q . 

15. The method of claim 14, wherein the prescribed loop calculation is carried out by: 

(a) setting h(A) 0 := h(K) 0 ; 

(b) for i = 1 to (k-1), repeatedly calculating: 



25 



h(F), 


.= (h(A)i-! 


« ) (mod p j * 1 ) ; 


ME); . 


:= (h(M) - 


h(F) i ) (mod p 1 * 5 ) ; 


h(B); . 


* h(E); /p J 


in Z; 


h(K)i : 


= {(eh(F); 


)- ' h(A) i - , h(B> ; ) (mod p) ; 


h(A)i : 


= h ( A ) i - j 


+ p ! h(K) . in Z ; and 



30 



35 



40 



(c) setting h(C) pk := h(A) k .-,. 

16. The method of claim 14, wherein the step (c) applies the Chinese remainder theorem by calculating: 

q 1 :=q' 1 (modp k ); 

v -j := ((h(C) p k - h(C) q )q , ) (mod p h ); and 
h(C) :« (h(C) q + q Vl ). 

17. The method of claim 14, wherein the step (c) applies the Chinese remainder theorem by calculating: 

Pi :=(p k )' 1 (modq): 

v ! := ((h(C) q - h(C) p k )p 1 ) (mod q); and 
h(C) :=(h(C) pk + p k Vl ). 

18. The method of claim 14, wherein the step (c) applies the Chinese remainder theorem by calculating: 

Pi :-(p k )' 1 (modq); 

q 1 := q" 1 (mod p k ); and 

h(C) > (q , qh(C) pk + Pl p k h(C) q ) (mod p k q). 

es 19. An encryption apparatus, comprising: 

an encryption/decryption key generation processing unit for setting N (^ 2) prime numbers p-, , p 2 , 
, p N as a first secret key, and a product p n k 1 p 2 k 2 p N k N as a first public key n, 



45 



50 
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where k1, k2, , kN are arbitrary positive integers, and determining a second public key e and a 

second secret key d which satisfy: 

ed ^ 1 (mod L) 

where L is a least common multiple of -1 , p 2 -1 , , Pn* 1 . using the first secret key; and 

an encryption processing unit for obtaining a ciphertext C from a plaintext M according to: 

C - M e (mod n) 

using the first public key n and the second public key e. 

20. A decryption apparatus for decrypting a ciphertext C obtained from a plaintext M according to: 

15 C - M e (mod n) 

using a first secret key given by N (^ 2) prime numbers p-j , p 2 , t p N , a first public key n given by a 

product Pi k 1 P2 k 2 Pn k N where k1 , k2 t , kN are arbitrary positive integers, a second 

public key e and a second secret key d which satisfy: 

20 

ed - 1 (mod L) 

where L is a least common multiple of p-j-1 , P2-1 , , Pn** 1 . the apparatus comprising: 

25 a calculation processing unit for obtaining residues M p 1 k n M p 2 k 2 ( , M pNkN modulo Pi k 1 . p 

2 k2 Pn KN ' respectively, of the plaintext M using a prescribed loop calculation with respect to 

the first secret key p 1 , p 2 , , p N ; and 

a decryption processing unit for recovering the plaintext M by applying Chinese remainder theorem to the res- 
idues Mp •) k 1f M p 2 k 2( . Mp N k N . 

30 

21. A cipher communication system, comprising: 

a sender apparatus having: 

35 an encryption/decryption key generation processing unit for setting N (^ 2) prime numbers Pi , p 2 , 

, p N as a first secret key, and a product Pi k 1 P2 k 2 p N k N as a first public key 

n, where k1, k2, kN are arbitrary positive integers, and determining a second public key e 

and a second secret key d which satisfy: 

40 ed m i (mod L) 

where L is a least common multiple of p-|-1, p 2 -1, , Pn-1. using the first secret key; and 

an encryption processing unit for obtaining a ciphertext C from a plaintext M according to: 

45 C »* M e (mod n) 

using the first public key n and the second public key e; and 

a receiver apparatus having: 

50 

a calculation processing unit for obtaining residues M p 1 k 1 ( M p 2 k 2 ,M pNkN modulo p-, k 1 

, p 2 k 2 , , p N k N , respectively, of the plaintext M using a prescribed loop calculation with 

respect to the first secret key Pi . p 2 . Pn ; and 

a decryption processing unit for recovering the plaintext M by applying Chinese remainder theorem to the 
55 residues M p , k t , M p 2 k 2 M p N k N . 

22. An authentication message sender apparatus for use in authenticating an authentication message sent from a 
sender to a receiver, the apparatus comprising: 
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an encryption/decryption key generation processing unit for setting at the sender side a first secret key given 

by N (i= 2) prime numbers p-i , p 2 , , Pn . a first public key n given by a product Pi k 1 p 2 k 2 

p N k N where k1, k2, , kN are arbitrary positive integers, a second public key e and 

a second secret key d which satisfy: 

ed a 1 (mod L) 

where L is a least common multiple of p., -1 , p 2 -1 , Pn - ** \ 

an authentication message hashing processing unit for obtaining at the sender side an authenticator h(M) by 
w hashing the authentication message M using a hash function h; and 

an authenticator encryption processing unit for obtaining at the sender side an encrypted authenticator h(C) of 
the authenticator h(M) according to: 

h{M) - h(C) e (mod n) 

is 

by obtaining residues h(C) p ^ k 1f h(C) p 2 K 2 . h ( c )p nkn rnodulo Pi k 1 , k 2 , , 

p N k N , respectively, of the encrypted authenticator h(C) using a prescribed loop calculation with respect to the 

first secret key , p 2 , , Pn. and applying Chinese remainder theorem to the residues h(C) p -| k 

i . h(C) p 2 k 2 , > h(C)p m k n • ancf tnen sending the encrypted authenticator h(C) and the authen- 

20 ti cation message M to the receiver. 

23. An authentication message receiver apparatus for use in authenticating an authentication message sent from a 

sender to a receiver, using a first secret key given by N 2) prime numbers Pi , p 2 , Pn » a * irst public 

key n given by a product p n k 1 Pa k 2 Pn k N where k1 , k2, ......... kN are arbitrary positive 

25 integers, a second public key e and a second secret key d which satisfy: 

ed » 1 (mod L) 

where L is a least common multiple of p r 1, P 2 -1. PnH . the apparatus comprising: 

30 

an authenticator decryption processing unit for obtaining a first authenticator h(M)-| by calculating h(C) e (mod 
n) from an encrypted authenticator h(C) received from the sender using the second public key e; 
an authentication message hashing processing unit for obtaining a second authenticator h(M) 2 by hashing an 
authentication message M received from the sender using a hash function h; and 
35 an authenticity verification processing unit for judging an authenticity of the authentication message M at the 

receiver side by checking whether the first authenticator h(M) 1 and the second authenticator h(M) 2 coincide or 
not. 

24. An authentication system for authenticating an authentication message sent from a sender to a receiver, the sys- 
40 tern comprising: 

a sender apparatus having: 

an encryption/decryption key generation processing unit for setting at the sender side a first secret key 

45 given by N {«= 2) prime numbers p 1 , p 2 , . Pn • a *' rst public key n given by a product p-| k 1 

p 2 k 2 Pn k N where k1 , k2, , kN are arbitrary positive integers, a second public 

key e and a second secret key d which satisfy: 

ed = 1 (mod L) 

50 

where L is a least common multiple of p r 1 , p 2 -1, , Pm-1 : 

an authentication message hashing processing unit for obtaining at the sender side an authenticator h(M) 
by hashing the authentication message M using a hash function h; and 

an authenticator encryption processing unit for obtaining at the sender side an encrypted authenticator 
55 h(C) of the authenticator h(M) according to: 

h(M) - h(C) G (modn) 
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by obtaining residues h(C) p 1 k 1 , h(C) p 2 k 2 > n (C) p n k n modulo p, k 1 . p 2 k 2 

, p N k N , respectively, of the encrypted authenticator h(C) using a prescribed loop calculation with respect 

to the first secret key Pi , p 2 , • • • .Pn . ancj applying Chinese remainder theorem to the residues 

n (C) p 1 k 1 n ( c )p 2 k 2, n ( c )p n k n • and then sending the encrypted authenticator h(C) and 

5 the authentication message M to the receiver; and 

a receiver apparatus having: 

an authenticator decryption processing unit for obtaining a first authenticator h(M) 1 by calculating h(C) e 
10 (mod n) from the encrypted authenticator h(C) received from the sender using the second public key e; 

an authentication message hashing processing unit for obtaining a second authenticator h(M) 2 by hashing 
the authentication message M received from the sender using the hash function h; and 
an authenticity verification processing unit for judging an authenticity of the authentication message M by 
checking whether the first authenticator h(M)-j and the second authenticator h(M) 2 coincide or not. 

75 

25. A computer usable medium having computer readable program code means embodied therein for causing a com- 
puter to function as an encryption apparatus, the computer readable program code means includes: 

first computer readable program code means for causing said computer to set N 2) prime numbers p-j , p 2 , 

20 , p N as a f irst secret key, and a product Pi k 1 p 2 k 2 p N k N as a first public key n, 

where k1, k2, , kN are arbitrary positive integers, and determining a second public key e and a 

second secret key d which satisfy: 



25 



ed « 1 (mod L) 

where L is a least common multiple of p 1 -1 , p 2 -1 Pni-1 . using the first secret key; and 

second computer readable program code means for causing said computer to obtain a ciphertext C from a 
plaintext M according to: 

so C = M e (mod n) 

using the first public key n and the second public key e. 

26. A computer usable medium having computer readable program code means embodied therein for causing a com- 
35 puter to function as a decryption apparatus for decrypting a ciphertext C obtained from a plaintext M according to: 

C - M e (mod n) 

using a first secret key given by N (^ 2) prime numbers p 1 , p 2 , ,p N , first public key n given by a 

40 product Pi k 1 p 2 k 2 Pn k N where kl , k2, , kN are arbitrary positive integers, a second 

public key e and a second secret key d which satisfy: 

ed - 1 (mod L) 

45 where L is a least common multiple of p-j -1 , p 2 -1 , , p N -1 , the computer readable program code means 

includes: 

first computer readable program code means for causing said computer to obtain residues M p1 k1| M p2k2( 

Mp n k n modulo Pi k1 .p 2 k2 . ,p N kN , respectively, of the plaintext M using a 

so prescribed loop calculation with respect to the first secret key p-j , p 2 , , Pn ; and 

second computer readable program code means for causing said computer to recover the plaintext M by apply- 
ing Chinese remainder theorem to the residues M p k 1 M p 2 k 2 ,M pNkN . 

27. A computer usable medium having computer readable program code means embodied therein for causing a com- 
55 puter to function as an authentication message sender apparatus for use in authenticating an authentication mes- 
sage sent from a sender to a receiver, the computer readable program code means includes: 

first computer readable program code means for causing said computer to set at the sender side a first secret 
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key given by N (* 2) prime numbers p t , p 2 , , Pn . a first P ubIic ke y n 9 iven b Y a P roduct Pi k 1 

p 2 k 2 Pn k n W here k1 , k2 f , kN are arbitrary positive integers, a second public key 

e and a second secret key d which satisfy: 

5 ed » 1 (mod L) 

where L is a least common multiple of p r 1, p 2 -1 , , Pn* 1 I 

second computer readable program code means for causing said computer to obtain at the sender side an 
authenticator h(M) by hashing the authentication message M using a hash function h; and 
10 third computer readable program code means for causing said computer to obtain at the sender side an 

encrypted authenticator h(C) of the authenticator h(M) according to: 

h(M) - h(C) e (mod n) 

75 by obtaining residues h(C) p , k 1 1 h(C) p 2 k 2 , h(C) p N k N modulo Pi k 1 . P 2 k 2 , , 

p N k N , respectively, of the encrypted authenticator h(C) using a prescribed loop calculation with respect to the 

first secret key p<| , p 2 , , Pn . and applying Chinese remainder theorem to the residues h(C) p -j k 

1, h (C) p 2 k 2, n (C) p N k N . and 1nen sending the encrypted authenticator h(C) and the authenti- 

cation message M to the receiver. 

20 

28. A computer usable medium having computer readable program code means embodied therein for causing a com- 
puter to function as an authentication message receiver apparatus for use in authenticating an authentication mes- 
sage sent from a sender to a receiver, using a first secret key given by N (£ 2) prime numbers Pi , p 2 , 

, p N , a first public key n given by a product Pi k 1 P 2 k 2 Pn k N where k1 , k2, , kN are 

25 arbitrary positive integers, a second public key e and a second secret key d which satisfy: 

ed = 1 (mod L) 

where Lis a least common multiple of p r 1,p 2 -1, • • ,p N -1, the computer readable program code means 

30 includes: 

first computer readable program code means for causing said computer to obtain a first authenticator h(M)., by 
calculating h(C) e (mod n) from an encrypted authenticator h(C) received from the sender using the second 
public key e; 

35 second computer readable program code means for causing said computer to obtain a second authenticator 

h(M) 2 by hashing an authentication message M received from the sender using a hash function h; and 
third computer readable program code means for causing said computer to judge an authenticity of the authen- 
tication message M at the receiver side by checking whether the first authenticator h(M)., and the second 
authenticator h(M) 2 coincide or not. 
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